Volunteer Spotlight: Alec Helps Companies Activate Onion Services

Tor is a labor of love built by a small group of committed individuals, but we’re lucky to have the support of a dedicated volunteer base who help us make Tor the strongest anonymity tool out there. The volunteer spotlight is a regular feature here on the Tor Blog, and today, we’re highlighting Alec Muffett, who built and maintains the Enterprise Onion Toolkit (EOTK), the easiest way to add an onion address to a traditional website.

Onion websites are far better than traditional ones at protecting content providers from blocking and censorship, making it hard for a state to disrupt publication or to ban its citizens from accessing a given website. Onion websites are also better at protecting users from incrimination than websites which are hosted on traditional web servers: in addition to the usual protections that Tor provides, .onion websites are guaranteed to only be accessed by people using Tor software, reducing their potential digital footprint and exposure. "There's no risk of accidentally using Internet Explorer 6," says Alec.

Alec has worked in security for 30 years, and has long recognized the importance of distributed systems and Tor’s onion routing features: “Enabling two peers to communicate with nobody 'getting between' them was part of the intention of the original internet. Nowadays there's a saying: 'if you want to share a photo with a friend, why do you have to give it to a multi-billion-dollar corporation, first?'; but Tor offers a disintermediation solution for this, and perhaps all similar, problems."

He continues: "I believe that disintermediated communication is an important capability, and so I built the Enterprise Onion Toolkit to assist publishers, writers, and virtual communities to connect directly, securely, efficiently, and without intermediaries, to their audiences and membership.”

We’re so grateful to Alec for building and maintaining such an important tool. With his help, we’re fighting against those who want to make censorship the norm and privacy a thing of the past.

Getting involved with Tor is easy: you can help us make the network faster and more decentralized by running a relay, especially if you live in a part of the world where we don’t have a lot of relays yet. You can read all of our volunteer spotlights here.

Tor is a vital tool for protecting privacy and resisting repressive censorship and surveillance. If you can, please consider making a donation today.

* that cannot be traced: yes, using p2p or tor.
* protonmail: untrust but an onion email-service provides a privacy-anonymous advantage.
* threat: the reason why they track us is very simple; the power of the freedom of speech is in our hands and the truth could decrease their revenues.

Yes, there is. https://bitmessage.ch . It's not quite an email, it's decentralised, written in a memory-safe language, no registration is needed. E-mail is deadly broken - every email, EVERY, demands my mobile phone number. Fuck this shit, we gonna have own email with blackjack and hookers.

Thank you for this article; I understand your work and your effort better, but Tor is set with sha1 & 1024.
Thank you Alec, you are building a new network for a safe 'service'-road, but the users (2018) need a secure vehicle for driving to: Tor runs in clear text.
We are waiting desperately for the new version (sha 3 & curve) ...
... one more post censored ...

I think that is what they were trying to imply. I also think Tor users need to trust Tor developers, who almost certainly know more than we do about the cryptographic issues which arise in Tor design decisions.

> What level is affected? Does it mean that traffic can be dumped and decrypted?

Comments in this blog frequently try to dissuade people from using Tor by making sweeping unsubstantiated claims that Tor is "unsafe" or that Tor Project is "colluding" with malign USG agencies such as CIA or NSA. Some such comments might represent genuine expressions of concern, but we do know that multiple governments (including UK, RU) mount disinformation campaigns which seek to prevent Tor userbase from growing. Because such campaigns cost money, this is in itself an indication that Tor works well enough to worry some of the most oppressive governments, the ones most determined to spy on their own citizens or even to try to "Collect it All" (an NSA slogan).

Thank you for the reply. I just went to https://trac.torproject.org/ but found another issue... Seemingly I was not privileged to create a new ticket on the issue of OFTC Web IRC, as the error message was saying:

Error: Forbidden

TICKET_CREATE privileges are required to perform this operation on Ticket #None. You don't have the required permissions.

Thank you for the advice. But I have bad news. Just after I upgraded my Linux OS packages with the apt command, my localhost became non-bootable for some reason... I will try this challenge after I choose and install a new distribution / edition.

I would like to clarify wrong assumptions:
- "hidden-services-are-all-criminal" is the motto of the FBI team for increasing their motivation.
- fake news media are elaborated by professional writers who obey their boss: show business.
- I never read news which has tarnished the Tor Project's reputation; in fact it was all the opposite.
Alec brings a modern dimension and the article explains his involvement well.
Thx Alec.

Right now, in view of the recently disclosed Meltdown family of attacks, a PC with multicore 64 bit CPUs from AMD (rather than Intel) seems preferable.

A laptop? You are probably out of luck there--- most laptops used Intel CPUs.

Looking a few years ahead, you will want to replace your new computer once drastically redesigned chips which are more resistant to Spectre attacks appear. Currently no general fix for Spectre is possible; developers of individual packages must try to insert tricky serialization instructions in just the right place to prevent bad guys from taking advantage of the security flaws inherent in "speculative execution". (Intel chips are more aggressive in how they do that, which is why they are said to be more vulnerable to Meltdown attacks, but essentially all chips in any electronic device save some IoT devices are vulnerable to Spectre attacks.)

Choice of operating system is also important. I think Linux is a no-brainer, and I think Debian is the best choice there. Many prefer Ubuntu, but Ubuntu comes from a company which has often made poor choices in trading off security viz usability (and making money by gathering information on the minute by minute activities of their users--- c.f. the scandal over their desktop search).

For daily activities which involve interaction with the Internet, you should consider using Tails, the "amnesiac" Torified version of Debian. See tails.boum.org for a free download, and make sure to verify the detached signature using GPG before burning. Note you can boot Tails from either a DVD or USB. A r/o DVD offers much better security but a USB or r/w DVD is more convenient.

You will probably want to try to check that your new PC doesn't have bluetooth and other vulnerable services running by default, or that you have disabled these. If your city has installed "smart meters", these may try to connect to your computer via Bluetooth or another easily abused protocol, so watch your back. IOActive often publishes security vulnerabilities in IoT devices (after giving makers a chance to fix the flaws).

If you are concerned about cybersecurity, privacy, or anonymity, you should do everything in your power to keep IoT devices, IP video cameras, etc. out of your living and office spaces. In-home surveillance is rapidly increasing, so that's another worry besides Internet dragnets.

See eff.org "Surveillance Self Defense" site for much more good advice from one of the most trusted US NGOs concerned with privacy and cybersecurity issues. Read EFF's Deeplinks blog and the aclu.org blog for news relevant to surveillance. Read The Intercept, The Register (in the UK), Propublica, Wired, etc. for news relevant to dragnet surveillance and cybersecurity flaws. Read amnesty.org and hrw.org for news about human rights violations around the world.

Last but not least, see EFF's repository of many (not all) published Snowden leaked documents, plus newly leaked documents which are frequently published by The Intercept and publicintelligence.net. These will give you a much better appreciation of the real capabilities of our enemies, and also of the kinds of systemic problems they themselves face and have been unable to resolve.

State-sponsored attackers who target bloggers, journalists, NGOs, and their readers/supporters are scary and dangerous. But The People *can* fight them--- and win!

I don't know where else to post this. CHECK.TORPROJECT.ORG has been unreachable (e.g., directly or ping: 100% packet loss) for several hours so I can't confirm my connection. This happens periodically. Is there a way to report this directly to someone who can hit the "reset" button? THANK YOU.

Many thanks to Alec and others for all their work promoting the "onions everywhere" campaign (modeled on EFF's highly successful campaign "https everywhere").

May I suggest a few US news organizations which I think would be receptive to TP volunteering to help them set up an onion offering their content via the Tor network, for extra security?

o thehill.com: non-partisan newspaper covering the US Congress (news and guest editorials from right and left); often read by staffers and lobbyists, one of the few important papers in the US which does not yet even have https.

o motherjones.com, theatlantic.com, truthdig.com, truth-out.org: venerable generally left leaning offering news and editorials; The Atlantic is also widely read by US policymakers.

I'd love to hear Alec's thoughts on the suggestion that a future NYC Tor meetup might brainstorm how to develop into a workable campaign the notion that onions might offer a more secure way for ordinary people to do on-line banking. Since NYC is the financial capital of the US, or even of the world, the geography would appear to be favorable.

More generally, I hope Tor visionaries will develop the general suggestion that the Tor network can be scaled up and expand its purpose to include "better cybersecurity for everyone doing anything on the web", e.g. shopping, banking, reading less easily faked news.

Speaking of geography, I suggest that regions where TP should try hard to provide more resources (e.g. more nodes) include:

o Brazil and other Latin American countries

o Eastern Europe: despite the resurgence of Nazi ideologies, there is a big backlash from younger people who recognize that readopting a very thoroughly and long disproven ideology (Nazism) is political suicide; young people want to see real change.

Looking more than a year ahead, it is very encouraging that more young people in CN are speaking out against the lack of privacy and personal freedoms there. My sense is that they mostly accept the one-party system in CN, just want the CP to be responsive to their desire for greater privacy and freedom of expression. Because Tor and freedom of information is so heavily discouraged by the CN government, promoting Tor in CN no doubt requires extra care, but it is certainly something we should want to try to do.

o Eastern Europe: the world is built by the nationalist since they are able to share, struggle, suffer, work together for the happiness of all.
The fake residents project their hate vs the native one & you call that nazism ...
Let's be serious, & how is it related to Tor?

Could you explain to us the reason why the sks-keyserver certificate is not included in the TorBrowser?
Should it not be a safe measure for the users (and for the onion-site) when they use onion-service?
tia

I am not exactly sure what you mean, but we don't mess with the default certificates shipped in Firefox. So, my guess is that the certificate is not included in Firefox ESR 52, and as Tor Browser is built on it, it won't have it either.

Recent Updates

There's a new alpha release available for download. If you build Tor from source, you can download the source code for 0.4.0.1-alpha from the usual place on the website. Packages should be available over the coming weeks, with a new alpha Tor Browser release likely by the end of the month.

Remember, this is an alpha release: you should only run this if you'd like to find and report more bugs than usual.

Tor 0.4.0.1-alpha is the first release in the new 0.4.0.x series. It introduces improved features for power and bandwidth conservation, more accurate reporting of bootstrap progress for user interfaces, and an experimental backend for an exciting new adaptive padding feature. There is also the usual assortment of bugfixes and minor features, all described below.

Changes in version 0.4.0.1-alpha - 2019-01-18

Major features (battery management, client, dormant mode):

When Tor is running as a client, and it is unused for a long time, it can now enter a "dormant" state. When Tor is dormant, it avoids network and CPU activity until it is reawoken either by a user request or by a controller command. For more information, see the configuration options starting with "Dormant". Implements tickets 2149 and 28335.

The client's memory of whether it is "dormant", and how long it has spent idle, persists across invocations. Implements ticket 28624.

There is a DormantOnFirstStartup option that integrators can use if they expect that in many cases, Tor will be installed but not used.

Major features (bootstrap reporting):

When reporting bootstrap progress, report the first connection uniformly, regardless of whether it's a connection for building application circuits. This allows finer-grained reporting of early progress than previously possible, with the improvements of ticket 27169. Closes tickets 27167 and 27103. Addresses ticket 27308.

When reporting bootstrap progress, treat connecting to a proxy or pluggable transport as separate from having successfully used that proxy or pluggable transport to connect to a relay. Closes tickets 27100 and 28884.

Tor 0.3.5.7 is the first stable release in its series; it includes compilation and portability fixes, and a fix for a severe problem affecting directory caches. Tor 0.3.4.10 and 0.3.3.11 are also released today; please see the official announcements for those releases if you are tracking older stable versions.

The Tor 0.3.5 series includes several new features and performance improvements, including client authorization for v3 onion services, cleanups to bootstrap reporting, support for improved bandwidth-measurement tools, experimental support for NSS in place of OpenSSL, and much more. It also begins a full reorganization of Tor's code layout, for improved modularity and maintainability in the future. Finally, there is the usual set of performance improvements and bugfixes that we try to do in every release series.

There are a couple of changes in the 0.3.5 that may affect compatibility. First, the default version for newly created onion services is now v3. Use the HiddenServiceVersion option if you want to override this. Second, some log messages related to bootstrapping have changed; if you use stem, you may need to update to the latest version so it will recognize them.
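An added example (not from the Tor release notes or the Tor code base): a small Python check that lists the onion services in a torrc and flags those without an explicit HiddenServiceVersion, since those are the ones the new v3 default applies to when they are newly created. The sample torrc, its paths and ports, and the function names are constructed for illustration; it assumes the usual torrc layout in which options following a HiddenServiceDir line apply to that service.

```python
# Added example: find onion services that rely on the default
# HiddenServiceVersion, which is v3 as of the 0.3.5 series.

# Constructed sample torrc (paths and ports are made up for illustration).
SAMPLE_TORRC = """\
SocksPort 9050
# no explicit version on this service
HiddenServiceDir /var/lib/tor/blog/
HiddenServicePort 80 127.0.0.1:8080

HiddenServiceDir /var/lib/tor/legacy/
HiddenServiceVersion 2
HiddenServicePort 80 127.0.0.1:8081

hiddenservicedir /var/lib/tor/new/
HiddenServiceVersion 3
HiddenServicePort 443 127.0.0.1:8443
"""


def audit_onion_services(torrc_text, default_version=3):
    """Return one dict per HiddenServiceDir block with its effective version."""
    services = []
    current = None
    for lineno, raw in enumerate(torrc_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()  # option names are matched case-insensitively
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "hiddenservicedir":
            current = {"dir": value, "line": lineno,
                       "version": default_version, "explicit": False}
            services.append(current)
        elif key == "hiddenserviceversion":
            if current is None:
                raise ValueError(f"line {lineno}: no service to apply the version to")
            current["version"] = int(value)
            current["explicit"] = True
    return services


def relies_on_default(services):
    """Directories of services whose version comes from the default."""
    return [s["dir"] for s in services if not s["explicit"]]


if __name__ == "__main__":
    for s in audit_onion_services(SAMPLE_TORRC):
        how = "explicit" if s["explicit"] else "default"
        print(f"{s['dir']}: v{s['version']} ({how}, torrc line {s['line']})")
```

Passing `default_version=2` shows what the same file meant under the earlier default, which makes the services affected by an upgrade easy to spot.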

We have designated 0.3.5 as a "long-term support" (LTS) series: we will continue to patch major bugs in typical configurations of 0.3.5 until at least 1 Feb 2022. (We do not plan to provide long-term support for embedding, Rust support, NSS support, running a directory authority, or unsupported platforms. For these, you will need to stick with the latest stable release.)

Below are the changes since 0.3.5.6-rc. For a complete list of changes since 0.3.4.9, see the ReleaseNotes file.

Changes in version 0.3.5.7 - 2019-01-07

Major bugfixes (relay, directory):

Always reactivate linked connections in the main loop so long as any linked connection has been active. Previously, connections serving directory information wouldn't get reactivated after the first chunk of data was sent (usually 32KB), which would prevent clients from bootstrapping. Fixes bug 28912; bugfix on 0.3.4.1-alpha. Patch by "cypherpunks3".